Information Security Inspection Body
Nixu Certification Oy is a legal entity owned by DNV AS, trading under the brand names DNV and DNV Cyber. Nixu Certification Oy is an accredited independent Information Security Inspection Body, approved by the Finnish National Cyber Security Centre (NCSC-FI). It is also a certification body S047 accredited by the and Finnish Accreditation Service FINAS, accreditation requirement SFS-EN ISO/IEC 17021-1:2015 (ISO/IEC 27006:2015 AMD 2020).
We provide a broad range of information security audits and certification services. Valid certificates issued by Nixu Certification Oy will contain a DNV certification mark, along with the name and address of Nixu Certification Oy, the scope of the certification, the standard against which certification is granted and the date of issue and expiration. If in doubt regarding the validity of a certificate please contact us for verification.
Competence
Our inspection body operations are supervised by Finnish authorities. We meet strict requirements concerning our premises, handling of customer data, skills and methodologies. Our operations have been assessed against ISO/IEC 17021, ISO/IEC 27006, and Katakri 2020 (protection levels II & III, i.e., Secret and Confidential).
Independence
One of the key principles concerning the operations of an inspection body is independence. Our management and personnel are committed to the following principles. In addition, DNV and all of its acquired companies, are committed to not interfering with Nixu Certification Oy’s audits or any of the related processes.
DNV owned Nixu Certification Oy, is independent and impartial in all its operations. Our assessment is based solely on a systematic, transparent inspection process and our auditors' competence and professional expertise. The result of the assessment is based solely on how well the assessed organization meets the assessment criteria. In every assignment, we evaluate possible risks to our independence and act to minimize such risks. Our independence is supervised by our board of directors.
As an inspection body, we do not certify or audit anything that would jeopardize our independence. We do not perform internal audits on our certified customers. The services of Nixu Oy and Nixu Certification Oy, both owned by DNV, are not associated in a way that would jeopardize our independence.
Our audit process
Stage 1 Documentation and interviews
0. Auditing team appointment
1. Kick-off meeting and certification scope definition
2. Documentation review
3. Management interviews
4. Identification of other factors that affect certification
5. Planning of Stage 2
6. (Resolving of non-conformities identified in Stage 1)
Stage 2 Verification
7. Verification of processes and activities against criteria
8. Verification of activities through objectives
9. (Resolving of non-conformities identified in Stage 2)
Certification
10. Preparation for certification decision
11. Making of certification decision
12. Certification monitoring (ongoing surveillance activities)
The certification process
After an approved audit by Nixu Certification Oy, DNV may issue a certificate to the customer. The lead auditor makes a proposal on whether the certificate may be issued. The certification decision is made by the Managing Director of Nixu Certification Oy, or their deputy with a Certification Officer role. The individual granting the certificate shall not have participated in the audit. The certification must be renewed before the validity of the certificate expires. The continued validity of the certificate also requires regular surveillance audits.
If the conditions for certification no longer exist, the certificate may be suspended for a specified time or withdrawn altogether. The certificate may be restored when the conditions are restored. It is also possible to reduce the scope of the certificate.
The right to refuse certification
DNV owned Nixu Certification Oy, like other certification bodies, has the right to refuse certification, even if the certification conditions, as such, were met. This is exceptional and may be considered principally in situations where the branch of activity, ethics of operations, or other apparent reasons are considered grave enough to warrant a refusal of certification. If we decide to exercise our right to refuse certification, we inform the applicant at the earliest possible opportunity and provide reasons for our decision.
Rules on referring to a certificate
When referring to a certificate, it is required that the guideline provided by DNV should be used. When referring to a certificate, the reference should always indicate the name of the entity that obtained the certificate, the certifying body, the audit criteria, and a description of the certified areas (scope).
A reference to the certification may be made if the certificate is valid and the certified entity meets the certification requirements. No reference to the certification may be made before the certification decision is made, and the reference must not be misleading. The certified entity is always responsible for referencing, and it must comply with the guidelines provided by DNV.
A reference to the certification may only be made with respect to the certified activity. If all operations of an organization are not certified, a reference to the certification shall clearly indicate which operations are certified. If the certified part changes or the certificate is suspended or withdrawn, the organization must update all references to the certification to correspond to the changed situation.
Feedback, complaints and claims to revise a decision
In all its operations, DNV owned Nixu Certification Oy, strives for professional and fair conduct. If a customer of Nixu Certification Oy, or other entity is of the opinion that our operations are not up to par, it can file a complaint or a claim to revise a decision, which will be handled according to the procedure illustrated below. We also welcome any free-form feedback on our operations. If you wish to give feedback or make a complaint or a claim to revise a decision, please contact the Managing Director of Nixu Certification Oy, for further instructions.
Complaints and claims to revise a decision are always handled by the Managing Director and a committee appointed by the Managing Director.
The procedure for handling claims to revise a decision:
